Overview of DNSSEC

When a DNS client sends a name query to a name server, the server either responds with the IP address for the site or forwards the query to another DNS server for resolution. But how can we be sure that the site being accessed is not fake? Since no authentication check is done when the name resolution is made, an attacker could hijack the network communication and redirect us to a malicious site.

DNSSEC Benefits

DNSSEC adds a layer of security to the DNS:

1. It confirms the authority of the originator of data sent by the DNS server (that the information is coming from the correct source).

2. It confirms the integrity of the data from the DNS server (that the information you received is the same information that was sent).

3. It provides authenticated denial of existence when the information the client is trying to access does not exist.

It is not a complete solution, as it does not provide confidentiality of data returned by the DNS server, and it does not protect against denial of service attacks.

Basic support for DNSSEC was introduced in Windows Server 2003 to allow DNS servers to act as secondary DNS servers for existing DNSSEC-compliant secure zones. These servers were not capable of signing zones and resource records or of validating the signature resource records, and all DNSSEC configuration had to be made by editing the registry on the DNS servers.

In Windows Server 2008 R2 it was enhanced, but limited by being intended as a solution only for file-backed, static zones and not for Active Directory integrated zones.

Windows Server 2012 includes full DNSSEC support for Active Directory integrated DNS, including DNS dynamic updates in DNSSEC signed zones, automated trust anchor distribution through Active Directory, automated trust anchor rollover support, validation of records signed with updated DNS standards (NSEC3, RSA/SHA-2) and support for PowerShell.

Windows 7 and Windows Server 2008 R2 are DNSSEC aware but nonvalidating, meaning that the DNS client can examine a response it receives to determine whether the response has been validated, but the client cannot itself validate the response it receives. This means that you should use some other method, such as IPsec, to secure the communication all the way. DNSSEC clients in Windows 8 and Server 2012 are still DNSSEC aware but nonvalidating, so you should still use IPsec to secure the network connection.

How DNSSEC works

DNSSEC works by combining public key infrastructure cryptography with DNS to use digital signatures and cryptographic keys to sign DNS zones and validate that the DNS responses are authentic.

DNSSEC resource records

Resource Record Signature (RRSIG): Contains digital signatures for all records in the zone.

DNS Public Key (DNSKEY): Contains the public keys for a particular zone.

Delegation Signer (DS): Indicates the public key for a child zone.

Next Secure (NSEC/NSEC3): Allows the validation of a negative response. Support for NSEC3 in Windows Server 2008 R2 and Windows 7 is limited to the following:

1. Windows Server 2008 R2 can host zones signed with NSEC that have NSEC3 delegations.

2. Windows Server 2008 R2 can be a non-authoritative DNS server configured with the trust anchor for a zone that is signed with NSEC and has NSEC3 child zones.

3. Clients running Windows 7 can use a non-Microsoft DNS server that is aware of NSEC3 for DNS resolution. Use IPsec to secure the channel between client and server.

4. If the zone is signed with NSEC3, configure DNSSEC settings in the NRPT to not require validation.

Not supported:

1. You cannot sign or host a zone that is signed with NSEC3 using a server running Windows Server 2008 R2.

2. Client computers running Windows 7 cannot perform DNSSEC validation on data from a zone that has been signed with NSEC3.

3. You cannot configure a trust anchor on a server running Windows Server 2008 R2 for a zone signed with NSEC3.

4. Configuring a server running Windows Server 2008 R2 as a secondary DNS server for a zone that is signed with NSEC3 is not recommended.

Trust Anchors

A trust anchor is a preconfigured public key associated with a specific zone. It enables DNS servers to validate DNSKEY resource records for the corresponding zone, establishing a chain of trust to child zones. Validating DNS servers must be configured with one or more trust anchors in order to perform DNSSEC validation.

DNSSEC key management

Key management includes planning for key generation, key storage, key expiration and key replacement. In Windows Server 2012 key management is made easier with simple and flexible key generation, Active Directory storage and replication. Windows Server 2012 also introduces the DNSSEC key master. The key master is a DNS server that generates and manages signing keys for a zone that is protected with DNSSEC. To sign a zone with DNSSEC you must choose at least one zone signing key and one key signing key. The key signing key is an authentication key that signs all of the DNSKEY records at the root of the zone. The zone signing key is used to sign zone data.
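The signing and trust anchor steps described in the two sections above, as an added PowerShell example for Windows Server 2012 (not part of the original article). The zone name and both server names are placeholders, and the zone is assumed to be Active Directory integrated.

```powershell
# Added example. Zone and server names are placeholders, not from the article.
$zone      = 'secure.corp.example'   # AD-integrated zone to sign (assumed)
$keyMaster = 'dns1.corp.example'     # authoritative server acting as key master (assumed)
$resolver  = 'dns2.corp.example'     # validating DNS server that needs the trust anchor (assumed)

# 1. Create one key signing key (KSK) and one zone signing key (ZSK).
#    RSA/SHA-256 is one of the RSA/SHA-2 algorithms Windows Server 2012 supports.
$common = @{
    ZoneName        = $zone
    ComputerName    = $keyMaster
    CryptoAlgorithm = 'RsaSha256'
    KeyLength       = 2048
    StoreKeysInAD   = $true          # keys are stored in AD and replicate with the zone
}
Add-DnsServerSigningKey @common -Type KeySigningKey
Add-DnsServerSigningKey @common -Type ZoneSigningKey

# 2. Sign the zone with the keys configured in step 1.
Invoke-DnsServerZoneSign -ZoneName $zone -ComputerName $keyMaster -Force

# 3. Review the keys and the zone's DNSSEC settings (key master, NSEC or NSEC3).
Get-DnsServerSigningKey -ZoneName $zone -ComputerName $keyMaster | Format-List
Get-DnsServerDnsSecZoneSetting -ZoneName $zone -ComputerName $keyMaster | Format-List

# 4. Ask for the DNSKEY set with the DNSSEC OK flag; a signed zone returns
#    RRSIG records alongside the DNSKEY records.
Resolve-DnsName -Name $zone -Type DNSKEY -Server $keyMaster -DnssecOk

# 5. Install the zone's DNSKEY records as trust anchors on the validating
#    server, then confirm they are present. Without a trust anchor the
#    resolver cannot validate responses from this zone.
Get-DnsServerResourceRecord -ZoneName $zone -RRType DnsKey -ComputerName $keyMaster |
    ForEach-Object {
        $_.RecordData |
            Add-DnsServerTrustAnchor -Name $zone -ComputerName $resolver -PassThru
    }
Get-DnsServerTrustAnchor -Name $zone -ComputerName $resolver
```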

Name Resolution Policy Table (NRPT)

The NRPT is a table that contains rules you can configure to specify DNS settings or special behavior for names or namespaces. It can be configured using either Group Policy or PowerShell.
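Two NRPT rules as an added PowerShell example for a Windows 8 or Windows Server 2012 client (not part of the original article): one that requires validated answers, and one that enables DNSSEC without requiring validation, which is the setting the NSEC3 list above calls for. Both namespaces are placeholders.

```powershell
# Added example. Namespaces are placeholders, not from the article.
$validated = '.secure.corp.example'  # leading dot: rule covers every name under this suffix
$nsec3Zone = '.nsec3.corp.example'   # stands in for a zone signed with NSEC3 (assumed)

# Rule 1: enable DNSSEC for the namespace and require that the DNS server
# has validated the answer. The client itself is nonvalidating, so it relies
# on the server's validation result; the path to that server still needs
# protection such as IPsec, as the article notes.
Add-DnsClientNrptRule -Namespace $validated -DnsSecEnable -DnsSecValidationRequired `
    -Comment 'Require validated answers for the signed zone'

# Rule 2: enable DNSSEC for the namespace but do not require validation.
Add-DnsClientNrptRule -Namespace $nsec3Zone -DnsSecEnable `
    -Comment 'DNSSEC enabled, validation not required'

# These rules go into the local NRPT. To deliver them through Group Policy
# instead, pass -GpoName with the name of an existing GPO.

# Review the rules just written.
Get-DnsClientNrptRule |
    Where-Object { $_.Namespace -like '*corp.example' } |
    Format-List

# Show the policy the DNS client is actually applying.
Get-DnsClientNrptPolicy -Effective

# Query a name under the first namespace. With validation required, the
# lookup succeeds only if the DNS server reports the answer as validated.
Resolve-DnsName -Name "www$validated" -DnssecOk
```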